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CLAIMS: 

L A method for anonymously indexing an electronic record system, the method 
comprising: 

storing an asymmetric cryptographic private key under the control of a portable 
5 storage device of a registered user; 

storing an anonymous public key certificate, the anonymous public key 
certificate being associated with an asymmetric cryptographic public key matching the 
asj/mmetric cryptographic private key; 

providing the portable storage device with information for associating the 
10 registered user with the portable storage device; and 

indexing within an electronic record system phonal iofonnation of tibie 
registered user, whereby association of the information with liie registered tiser is 
anonymously verifiable by use of the anonymous public key certificate. 

15 2. The method of claim 1 wherein the portable storage device is provided with 
human readable information for associating the registered user with the portable storage 
device. 

3. The method of claim 1 wherein the portable storage device is provided with 
20 machine readable information for associating the registered user with the portable 

storage device upon presentation of the portable storage device, 

4. The method of any one of claims 1 to 3 whereia the portable storage device is a 
smartcard. 

5. The method of any one of claims 1 to 3 wherein the portable storage device is an 
electronic passport. 

6. The method of any one of claims 1 to 5 wherein the indexing comprises 
30 associating with each item of personal information of the registered user an electronic 

record pointer, and wherein the anonymous public key certificate contains the 
electronic record pointer. 

7. The method of any one of claims 1 to 6 wherein the anonymous public key 
35 certificate contains a personal data component. 



wo 2005/088899 



PCT/AU2005/000364 



23 

8. The method of claim 7 wherein the personal data component comprises 
biometric data of the registered user. 

9. The method of any one of claims 1 to 8, wherein storing of the asymmetric 
5 cryptographic private key mider the control of the portable storage device comprises 

storing the asymmetric cryptographic private key in the portable storage device, 

10. The method of any one of claims 1 to 8, wherein storing of the asymmetric 
cryptographic private key under the control of the portable storage device comprises 

10 storing an access code in the portable storage device allowing access to the asymmetric 
cryptographic private key, 

1 1 . The method of any one of claims 1 to 8, wherein storing of the asymmetric 
cryptographic private key imder the control of the portable storage device comprises 

• 15 copjdng the asymmetric cryptographic private key into the possession of an authorised 
user. 

12. The method of claim 11 wherein the copied asymmetric cryptographic private 
key in the possession of the user is caused to be deleted upon occurrence of a 

20 predetermined event. 

13. The method of claim 12 wherein the predetermined event is the authorised user 
entering an update to the indexed personal information of the registered user. 

25 14. The method of claim 12 wherein the predetermined event is lapsing of an 
authorisation period. 

15. The method of any one of claims 1 1 to 14 wherein the authorised user is a health 
care professional authorised by the registered user to enter an update to the registered 

30 user's indexed personal information. 

1 6. An anonymously indexed electronic record system comprising: 

a portable storage device for a registered user, an asymmetric cryptographic 
private key being xmder the control of the portable, storage device, the portable storage 
35 device being provided with information for associating the registered user with the 
portable storage device; 
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a stored anonymous public key certificate associated with an as3aiimetric 
cryptographic pubhc key matching the asymmetric cryptographic private key, 

an electronic storage indexing personal information of the registeared user, 
whereby association of the information vnih the registered user is anonymously 
5 verifiable by use of the anonymous public key certificate. 

17. The system of claim 16 wherein the portable storage device is provided with 
human readable information for associating the registered user with the portable storage 
device. 

10 

18. The system of claim 16 wherein the portable storage device is provided with 
machine readable information for associating the registered user with the portable 
storage device upon presentation of the portable storage device, 

15 19. The system of any one of claims 16 to 18 wherein the portable storage device is 
a smartcard. 

20. The system of any one of claims 16 to 18 wherein the portable storage device is 
an electronic passport. 

20 

21. The system of any one of claims 16 to 20 wherein the electronic storage indexes 
the personal information by having associated with each item of personal information 
of the registered user an electronic record pointer, and wherein the anonymous public 
key certificate contains tihe electronic record pointer. 

25 

22. The system of any one of claims 16 to 21 wherein the anonymous public key 
certificate contains a personal data component. 

23. The system of claim 22 wherein the personal data component comprises 
3 0 biometric data of the registered user. 

24. The system of. any one of claims 16 to 23, wherein the as^omnetric 
cryptographic private key is stored in the portable storage device. 
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25. The system of any one of claims 16 to 23, wherein an access code is stored in 
the portable storage device allowing access to the asymmetric ayptographic private 
key, 

5 26. The system of any one of claims 16 to 23, wherein the asymmetric 
cryptographic private key can be copied with the registered user's authorisation into the 
possession of an authorised user. 

27. The system of claim 26 wherein the copied asymmetric cryptographic private 
10 key in the possession of the user is caused to be deleted upon occurrence of a 

predetermined event 

28. The system of claim 27 wherein the predetermined event is the authorised user 
entering an update to the indexed personal information of the registered user. 

15 

29. The system of claim 27 wherein the predetermined event is lapsing of an 
authorisation period, 

30. The system of any one of claims 26 to 29 wherein the authorised user is a health 
20 care professional authorised by the registered user to enter an update to the registered 

user's indexed personal information. 

31. A portable storage device for a registered user of an anonymously indexed 
electronic record system, the portable storage device being provided with information 

25 for associating the registered user with the portable storage device, wherein an 
asymmetric cryptographic private key is under the control of the portable storage 
device, wherein an anonymous public key certijBcate is associated with an asymmetric 
cryptographic public key matching the asymmetric cryptographic private key, and 
wherein association of anonymously indexed personal information with the xxser is 

30 anonymously verifiable by use of the anonymous public key certificate. 

32. The device of claim 31 wherein the portable storage device is provided with 
human readable information for associating the registered user with the portable storage 
device. 

35 
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33, The device of claim 31 wherein the portable storage device is provided with 
machine readable information for associating the registered user with the portable 
storage device upon presentation of the portable storage device, 

5 34. The device of any one of claims 31 to 33 wherein the portable storage device is 
a smartcard. 

35. The device of any one of claims 31 to 33 wherein the portable storage device is 
an electronic passport. 

10 

36. The device of any one of claims 31 to 35 wherein the personal information is 
anonymously indexed by having associated with each item of personal information of 
the registered user an electronic record pointer, and wherein the anonymous pubUc key 
certificate contains the electronic record pointer. 

15 

37. The device of any one of claims 31 to 36 wherein the anon3anous public key 
certificate contains a personal data component. 

38. The device of claim 37 wherein the personal data component comprises 
20 biometric data of the registered user, 

39. The device of any one of claims 31 to 38, wherein the asyrometric cryptographic 
private key is stored in the portable storage device. 

25 40. The device of any one of claims 3 1 to 38, wherein an access code is stored in the 
portable storage device allowing access to the asymmetric cryptographic private key. 

41 . The device of any one of claims 3 1 to 38, wherein the asymmetric cryptographic 
private key can be copied with the registered user's authorisation firom the portable 

30 storage device into the possession of an authorised user. 

42. The device of claim 41 wherein the copied asymmetric cryptographic private 
key in the possession of the user is caused to be deleted upon occurrence of a 
predetermined event. 
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43 . The device of claim 42 wherein the predetermined event is the authorised user 
entering an update to the indexed personal information of the registered user. 

44. The device of claim 42 wherein the predetermined event is lapsing of an 
5 authorisation period. 

45. The device of any one of claims 41 to 44 wherein the authorised user is a health 
care professional authorised by the registered user to enter an update to the registered 
user's indexed personal information. 

10 

46. An electronic storage for an anonymously indexed electronic record system, the 
electronic storage indexing personal infomiation of a registered user, wherein 
association of the personal information with the registered luser is anonymously 
verifiable by use of an anonymous public key certificate associated with an asymmetric 

1 5 cryptographic public key matching an asymmetric cryptographic private key imder the 
control of a portable storage device of the registered user. 

47. The electronic storage of claim 46 wherein the personal information is 
anonymously indexed by having associated with each item of personal information of 

20 the registered user an electronic record pointer, and wherein the anonymous public key 
certificate contains the electronic record pointer. 

48. The electronic storage of claim 46 or claim 47 wherein the anonymous pubUc 
key certificate contains a personal data component. 

25 

49. The electronic storage of claim 48 wherein the personal data component 
comprises biometric data of the registered user. 

50. The electronic storage of any one of claims 46 to 49, wherein the asymmetric 
30 cryptographic private key is stored in the portable storage device. 

51. The electronic storage of any one of claims 46 to 49, wherein an access code is 
stored in the portable storage device allowing access to the asynunetric cryptographic 
private key. 
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52. The electronic storage of any one of claims 46 to 549, wherein the asymmetric 
cryptographic private key can be copied with the registered usefs authorisation from 
the portable storage device into the possession of an authorised user. 

5 53. The electronic storage of claim 52 wherein the copied asynametric cryptographic 
private key in the possession of the user is caused to be deleted upon occurrence of a 
predetermined event 

54. The electronic storage of claim 53 wherein the predetermined event is the 
1 0 authorised user entering an update to the indexed personal information of the registered 

user. 

55. The electronic storage of claim 53 wherein the predetermined event is lapsing of 
an authorisation period. 

15 

56. The electronic storage of any one of claims 52 to 55 wherein the authorised user 
is a health care professional authorised by the registered user to enter an update to the 
registered user's indexed personal information. 

20 57. A method of issuing Public Key Certificates to Registered Persons within an 
electronic record system, the method comprising the steps of: 

Issuing on behalf of each Registered Person whose personal information is 
held within an electronic record system a portable personal computing 
device with the ability to control the storage of one or more asymmetric 

25 cryptographic Private Keys. 

Visibly printing upon the surface of the personal computing device human 
readable identity information pertaining to the Registered Person. 
Generation of at least one pair of matching asynametric cryptographic 
Private and Public Keys. 

30 - Storage of at least one of the asynmietric cryptographic Private Keys 

under the control of the portable personal computing device. 
Creation on behalf of each Registered Person a Public Key Certificate for 
each asymmetric cryptographic Pubhc Key which matches each 
asymmetric cryptographic Private Key stored under the control of the 

3 5 portable personal computing device. 
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Inclusion in one or more of the Public Key Certificates one or more 
electronic record pointers with which personal information pertaining to 
the Registered Person may be indexed within the electronic record system. 
Issuance of the Public Key Certificate(s) to the Registered Persons. 

5 

58. The method according, to claim 57 wherein the asymmetric cryptographic 
Private Key is stored within the portable personal computing device. 

59. The method according to claim 57 wherein the asymmetric cryptographic 
10 Private Key is stored in an external computer system separate from the portable 

personal computing device where the external computer system is accessed under tiie 
control of the portable personal computing device. 

60. The method according to any one of claims 57 to 59 wherein the portable 
15 personal computing device is a smartcard. 

61. The method according to any one of claims 57 to 60 wherein the Public Key 
Certificate does not contain the name of the Registered Person to whom the Public Key 
Certificate has been issued. 

20 

62. The method according to any one of claims 57 to 61 wherein the Public Key 
Certificate does not contain any identity information pertaining to the Registered 
Person to whom the Public Key Certificate has been issued. 

25 63. The method according to any one of claims 57 to 62 where a plurality of 
asynunetric cryptographic Private Keys are stored under the control of the portable 
personal computing device and Public Key Certificates corresponding respectively to 
different asynunetric cryptographic Private Keys are issued by a plurality of entities. 

30 64. The method according to any one of claims 57 to 63 wherein the portable 
personal computing devices with associated asymmetric cryptographic Private Key 
storage are initially distributed without Private Keys being yet stored under the control 
of the personal computing devices, 

■ 

35 65. The method according to any one of claims 57 to 64 wherein Digital Signature 
codes are created for given data items within the electronic record system in order to 
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explicitly link each digitally signed data item to the value of an electronic record 
pointer contained in a Public Key Certificate issued to the Registered Person and 
associated with the Digital Signature codes. 

5 66. The method according to any one of claims 57 to 65 wherein verification using 
the Public Key Certificate of a given Digital Signature code for a given data item in the 
electronic record system is used to evince the association of the data item with an 
electronic record pointer value contained in the Public Key Certificate. 

10 67- The method according to any one of claims 57 to 66 wherein Digital Signature 
codes are created for given data items in the electronic record system using an 
as3a3imetric cryptographic Private Key issued to the Registered Person where each 
Digital Signature code is interpreted as explicitly recording the consent of the 
Registered Person to die creation of each respective digitally signed the data item. 

15 

68. The method according to any one of claims 57 to 67 wherein access to an 
electronic record system is granted to the holder of a portable personal computing 
device based on the success of an asymmetric cryptographic challenge-response where 
the challenge utilises the Public Key associated with digitally signed data items 

20 contained in the electronic record system and the response utilises a Private Key 
controlled by the portable personal computing device. 

69. The method according to any one of claims 57 to 68 wherein Public Key 
Certificates associated with one electronic record system are issued corresponding to 

25 respective asymmetric cryptographic Private Keys stored under the control of portable 
personal computing devices issued by a plurality of entities. 

70. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is a government issued identity card. 

30 

71. The method according to any one of claims 57 to 70 wherein the portable 
personal computing device is a government issued entitlement card. 

72. The method according to any one of claims 57 to 69 wherein the portable 
35 personal computing device is issued by a financial institution to a customer of the 

financial institution. 
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73. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is issued on behalf of a financial institution to a customer of 
the financial institution. 

5 

74. The method according to any one of claims 57 to 71 wherein the portable 
personal computing device forms part of a government issued travel document. 

75. The method according to any one of claims 57 to 71 wherein the portable 
10 personal computing device is a vehicle driver license. 

76. The method according to any one of claims 57 to 71 wherein the portable 
personal computing device is a business license. 

15 77. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is issued by or on behalf of a commercial organisation to 
one of its customers. 

78. The metiiod according to any one of claims 57 to 69 wherein the portable 
20 personal computing device is issued by or on behalf of an educational institution to a 

student. 

79. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is issued by or on behalf of an employer to one of its 

25 employees. 

80. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is issued by or on behalf of an association to one of its 
members. 

30 

81. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is a subscriber identification module within a mobile 
telephone. 
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82. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is a subscriber identification token associated with a 
subscription television set-top box. 

5 83. The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is a road toll identification device. 

84, The method according to any one of claims 57 to 69 wherein the portable 
personal computing device is a radio frequency identification tag. 

10 

85- The method according to any one of claims 57 to 84 wherein the electronic 
record system is for the purpose of recording votes in an electoral system cast by the 
Registered Person to whom the portable personal computing device has been issued. 

15 86, The method according to any one of claims 57 to 85 wherein the electronic 
record system is for the purpose of undertalcing commercial transactions with the 
Registered Person to whom the portable personal computing device has been issued. 

87, The method according to any one of claims 57 to 86 wherein the electronic 
20 record system is for the purpose of accoxmting for the movements of the Registered 

Person to whom the portable personal computing device has been issued. 

88, The method according to any one of claims 57 to 87 wherein the electronic 
record system is an electronic health record system. 

25 

89, The method according to any one of claims 57 to 88 wherein the electronic 
record system is for the purpose of managing customer accounts. 

* 

90, The method according to any one of claims 57 to 89 wherein the electronic 
30 record system is for the purpose of managing a customer loyalty programme. 

91, The method according to any one of claims 57 to 90 wherein the electronic 
record system holds personal information collected from the Registered Person to 
whom the portable personal computing device has been issued. 
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92. A means for issuing Public Key Certificates to Registered Persons within an 
electronic record system, the means comprising the elements of: 

One or more portable personal computing devices with the ability to 
control the storage of one or more asymmetric cryptographic Private Keys. 
A recognised authoritative entity to issue the portable personal computing 
devices to Registered Persons about whom personal information is held 
within the electronic record system. 

Human readable identity information pertaining to the Registered Persons 
visibly printed on the surface of respective the portable personal 
computiag devices. 

A key generation system to create at least one pair of asymmetric 
cryptographic Private arid Public Keys for each Registered User. 
A Public Key Certificate issued to each Registered Person corresponding 
to each asymmetric cryptographic Private Key stored under the control of 
the portable personal computing devices. 

At least one electronic record pointer contained within the data contents of 
each Public Key Certificate where the electronic record pointer may be 
used to index records within the electronic record system pertaining to the 
Registered Person to whom each Public Key Certificate has been issued. 
A Certification Authority which creates the Public Key Certificates for the 
Registered Persons. 

93. The means according to claim 92 wherein Digital Signature codes created for 
given data items within the electronic record system are interpreted as explicitly linking 

25 each digitally signed data item to the value of an electronic record pointer contained in 
a Public Key Certificate issued to the Registered Person and associated with tiie Digital 
Signature codes. 

94. The means according to either of claims 92 or 93 wherein the verification using 
30 the Public Key Certificate of a given Digital Signature code for a given data item in the 

electronic record system is iaterpreted to evince the association of the data item with an 
electronic record pointer value contained in the Public Key Certificate. 

95. The means according to any one of claims 92 to 94 wherein Digital Signature 
35 codes created for given data items in the electronic record system using an asymmetric 

cryptographic Private Key issued to tiie Registered Person are interpreted as recording 
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the consent of the Registered Person to the creation of each respective digitally signed 
the data item. 



